in Cloud it all happens

Serverless Secured API

This is a continuation of the Serverless Reservation application started in previous posts.

There should be nothing simpler than securing the API with an API key passed in a request header.
The Serverless documentation states that it already supports this without additional coding.
All we need to do is update the handler definition in serverless.yml.

We have added the apiKeys param in the provider definition; secret is the name of the key.
If we had multiple API keys we could identify them by name and distribute them to multiple users so that each of them has their own key.

The header which clients must pass in each request is always x-api-key, because Amazon does not support custom header names at the moment - see this discussion.

Let’s test it.

We will use the code developed in the previous blog post.
When we deploy the application it prints out the generated value of the API key to use in the header.
We can get the same value with the command:

Boo..! This time we get the same error. It does not work.
There is already an open issue for this.
We need extra manual work to add the API key, created in CloudFormation by the Serverless framework, to a usage plan.
This page explains very well how to configure a Usage Plan on AWS.

When we log in to the AWS console and navigate to the API Gateway panel we can see that our API key is already present,

but the Usage Plan list is empty, so we need to create one.

Here is how we do it:

Click the Create button and fill in the form.

Click Next.

Choose the API and Stage - we have only one of each, so it should not be confusing.

We cannot continue further, because the little orange triangle next to the selected API shows an error: not all resources in the API are secured with a key.
This is because our former /hello endpoint is not secured. As we're not going to need it anymore, we can just delete it and come back to Usage Plan creation.
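To tie the two points above together (the apiKeys entry in the provider section, and the requirement that every endpoint in the API be key-protected before a usage plan can be attached), here is a complete serverless.yml as an added example. It is not the post's own configuration: the service name, runtime, region, function and path names are assumptions. The usagePlan section relies on the Serverless framework creating the usage plan itself, which later framework versions support (an assumption about the version in use; the post had to create the plan by hand in the console).

```yaml
# serverless.yml - added example, not the post's own file.
# Names below (service, runtime, region, functions, paths) are assumptions.
service: reservation-api

provider:
  name: aws
  runtime: nodejs12.x          # assumption: any runtime the framework supports
  region: eu-west-1            # assumption
  apiKeys:
    - secret                   # "secret" is the key name used in the post
  # Assumption: a framework version that can create the usage plan itself.
  # Without it, the key exists in API Gateway but belongs to no plan, which is
  # exactly the state the post hits after deployment.
  usagePlan:
    quota:
      limit: 5000              # requests per period before API Gateway rejects calls
      period: MONTH
    throttle:
      burstLimit: 20
      rateLimit: 10            # steady-state requests per second

functions:
  reserve:
    handler: handler.reserve   # assumption
    events:
      - http:
          path: reservation
          method: post
          private: true        # API Gateway requires x-api-key on this route

  # Every http event in the API must carry "private: true"; a leftover public
  # endpoint like the post's /hello is what trips the orange warning in the
  # usage plan wizard. Shown commented out here as the shape to avoid:
  # hello:
  #   handler: handler.hello
  #   events:
  #     - http:
  #         path: hello
  #         method: get          # no "private: true" - flagged as unsecured
```

With this in place a request that omits the x-api-key header, or sends a key not attached to a usage plan, is rejected by API Gateway with HTTP 403 and the body {"message":"Forbidden"} before it ever reaches the Lambda function, which is the cheap check to run after each deployment to confirm the plan is actually wired to the key.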